Biological viruses operate by attaching themselves to healthy cells (hosts) and using them to propagate. Computer viruses do the same, only that it involves files in your computer. When an infected file is executed, the virus code is also executed infecting other files and sometimes delivering additional payload. This is the reason why viruses spread fast.
These are the most common virus families detected by Trend Micro:
Target files vary from one virus family to another. For example, PE_RAMNIT.DEN-O infects .exe and .dll files while PE_SALITY.RL-O infects .exe and .scr files.
Learn what to do in the event that a virus outbreak occurs in your network.
Apply the recommended settings
Applying the recommended settings offers the best protection against malware. Please refer to the KB article on the best practices in configuring OfficeScan for malware protection.
Temporarily disable the scan exclusion until the outbreak is stopped
- Log on to the OfficeScan management console.
- Go to Agents > Agent Management.
- In the Agent Tree, select the OfficeScan Server/Domain/Computer.
- Go to Settings > Scan Settings > Real-time Scan Settings.
- Uncheck Enable scan exclusion.
- Do the same for the other scan types:
- Manual Scan Settings
- Scheduled Scan Settings
- Scan Now Settings
- Click Save.
Identify and clean the infection sources
- Export the Virus/Malware Logs.
- Check for infection sources under the Infection Source column.
- Clean the infection sources using ATTK and ensure that they have OfficeScan Agent installed
Check for Unmanaged Endpoints
Computers that do not have antivirus software installed are prone to infection. They could potentially compromise other computers in the network.
The Unmanaged Endpoints in OfficeScan can be found under Assessment > Unmanaged Endpoints. It can display computers with the following status:
- Managed by another OfficeScan server
- No OfficeScan agent installed
- Unresolved Active Directory assessment
Run a regular security assessment to check for Unmanaged Endpoints and install OfficeScan agent on unprotected computers.
What to do when OfficeScan fails to clean an infected file
- Ensure that you are using specific scan action for Virus. The recommended scan actions are:
Unlike Trojans or Worms which can immediately be deleted or quarantined, the the 1st scan action for Virus should be Clean - OfficeScan will attempt to remove the virus code that was injected into the file. If the 1st scan action is different, ex. delete, then you will not be able to recover the file which may be critical to your system/application.
- 1st scan action: Clean
- 2nd scan action: Quarantine
- A bandage pattern maybe required for the cleanup. Submit the infected file to Trend Micro Technical Support for analysis.